Rossander’s Security Reader

It’s an interesting morning. I received three spam messages in rapid succession, each alleging to come from “NSA online security” and reporting a “critical vulnerability” in “a certain types of our token devices.” While I don’t expect perfect grammar from a government functionary, the mistakes in this email were pretty obvious. The alleged link to “fix” the problem point to “national-security-agency.com” which looks pretty plausible until you remember (or look up) that the real NSA uses the domain nsa.gov.

What’s interesting about this case is that it’s a fairly blatant example of an attempt to turn your computer into a zombie using the ZeuS Command&Control attack. If I had been stupid enough to click the link, I would have launched an executable program that would log every keystroke that I make on the machine and that would grab a copy of every form I fill out online. Since that would include my online banking login page, it would have given the hacker access to all my banking information.

ZeuS is a moderately old Trojan Horse but it is remarkably difficult for anti-virus programs to detect, even when kept completely up-to-date. ZeuS is alleged to be one of the largest botnets in the world, infecting some 3.6 million computers in the US alone.

The continued success of attacks like this show why you can never rely only on your anti-virus software. Read your email carefully, be suspicious and never click a link if you’re not sure that it’s safe to do so. Remember – it’s not paranoia when they really are out to get you.

I just read two security articles with some interesting implications when you take them together. The first noted that anti-virus software, while still vitally important to your computer, only stops 35-40% of malware attacks – down from about 47% last year. The second described a “sexy Candid Camera Prank” attack being currently launched against Facebook users.

In this Candid Camera Prank attack, someone posts fake video message on your profile page showing a woman on a bicycle in a short skirt. Clicking the movie thumbnail does not display the video but instead takes you to a Facebook application that tries to get you to download a “video player” which is really the old Hotbar adware. If you do fall for it, not only are you flooded with spam and other junk but your Facebook account is now used to spread the infection to your friends.

The interesting thing about putting the two articles together is that the hackers are no longer just trying to attack your computer directly. Sure, many still use old-fashioned scripts and viruses that try to directly attack your computer. But more and more have largely moved their attacks to social media. Their attacks depend more on you to fall for a trick, giving them an inlet to your network. Facebook, MySpace and other social media sites are very powerful and important tools but the same things that make them valuable to you also make them easy avenues to use for attacks against you.

Having a good anti-virus program and keeping it up to date is still vitally important. Even though the ratio is down, there are still hundreds of attacks against the average computer every day. But for the new attacks, vigilence and paranoia are the word of the day. No matter how good your technical defenses are, you can not rely on them alone.

If something looks too good to be true, it probably is. Trust your suspicions.

This post is a little more technical than our norm but I think it’s important to understand some of the buzzwords around security. SQL Injection attacks (pronounced see-kwel) are a tactic that a hacker can use to get your computers to do more than they should.

SQL stands for Standard Query Language and is the code that almost all databases use when answering your questions. SQL is what brings up your account when you log onto your bank to see your latest statement. Any but the most rudimentary website uses a SQL database to hold, sort and present the content to you, the reader.

As long as the user plugs in things that make sense (like a name into the username field), the query will run properly and will return only the results for your account. But what happens if you type something unusual into that field? What if you put in an account number instead? If the website was well-designed, the request will simply fail. If, however, the website was not designed properly, the computer may return something – but it won’t be anything that you intended.

For example, a hacker might try typing ' OR 1=1 -- into a date field. The “OR 1=1” part will always be true. The -- characters tell the computer to consider everything after as a comment (that is, a note the programmer left to him/herself as an explanation of the code). The result is a request for all lines of data where the first part is true. But 1=1 is always true so the computer spews out all the data in that table. Not only does the hacker get his own account details, he gets yours and everyone else’s as well.

Other commands can be crafted to modify data, add tables, execute commands, etc. If a site is vulnerable to a SQL-injection attack, there is little that the hacker can’t do.

How do you stop it? The easiest way to prevent a SQL-injection attack is to design your application to validate its inputs. The username field should have only text characters (or maybe also some numbers but nothing that looks like computer code), the credit card number field should only accept numbers, etc. Define the acceptable character sets and enforce those whitelists. Force the inputs to conform to specific patterns when special characters are needed (i.e. dd-mm-yyyy). And validate the data length of all inputs.

These are all basic checks that the folks building your website should be making. Put the IT processes and controls in place to make sure that they are building you a quality product and won’t leave your data vulnerable to the world.

By the way, to test whether a site has their own security in place, type something unusual into a field and see what happens. If you get a simple error telling you the allowable format (or if the computer simply rejects the request), you’re probably okay. If you see a lot of computer gobbledy-gook, you might not want to let that company have your confidential data.

Sorry I haven’t posted in a while but it’s been an interesting few weeks. If you’d looked at this site on the morning of 6 October, you would have seen a very different page – black background, yellow arabic writing and some very disturbing pictures. The vandal replaced the front page of our local beekeepers’ website with very similar content. It was a rude surprise, especially so early in the day.

Some background – I maintain the beekeepers’ website for them and host both that site and this one through a third-party provider. And while I do all of the writing for the infosec blog, I have a couple of other beekeepers who were helping to maintain the beekeepers’ site. It’s all volunteer work and I’m so glad for any help I can get that it’s hard to impose a lot of strict standards or hurdles. Besides, who cares about hacking a beekeeper club’s website?

Apparently lots of people.

It’s unlikely that we will be able to prove exactly how the hacker got in but it was almost certainly a scripted attack – a robot run by a hacker against anything he/she could find vulnerable – not a targeted attack. (For example, the hacker vandalized only pages titled index.htm, the standard name for a site’s home page, and none of the pages which had human-created names. Any targeted attack would have overwritten the other pages as well. Not only would it be more pages hacked but the vandalism might go unnoticed longer.) Our best guess is that the hacker go in because we weren’t careful enough about passwords. One of my authors had a password the same as his username. Even a kiddy-script can test for passwords that easy.

Lessons Learned:

• Any site is vulnerable even if you don’t think that anyone would bother with little old me.
• Passwords are important, even when you think they aren’t.
• Volunteer time is valuable but only if it’s the right volunteer. Even if his/her heart’s in the right place, sometimes that time is more expensive than it’s worth.
• Internal segmentation would have limited the damage. Merged accounts makes it easier to manage the domains but separate accounts would have kept the hacker from “promoting” himself across to the other accounts so easily.
• Monitoring is a good thing. In my case, it was dumb luck. My wife has the site as one of her home pages and noticed it as soon she logged on in the morning.
• Good backups make repairing the damage easy. My backups are automatically managed through third-party host and they do an excellent job. Once we discovered the vandalism and collected the evidence, the act of repairing the vandalism took mere minutes. I wish I could take credit for it but I got lucky and picked a good vendor.

Anyone can get hacked. Do what you can to minimize your chances, discover it quickly and plan so the costs to repair are low. I can’t say that I’m proud of this post but I do hope that you can learn from my mistakes.

If you’re a home user, skip this post. As long as you have some form of anti-virus on your computer and you keep it current, you should be okay.

If you run a small business with a network (that is, anything more than one computer and your credit card reader), read Mary Brandel’s recent article in CSO Online about the Dos and Don’ts of selecting an anti-virus solution for your enterprise. The short version is that there is a lot more out than just anti-virus these days. Look around for a good package that does more than just virus-checking. That was good enough a few years ago but not any more.

You may also be able to save some money by buying an integrated package and consolidating your security products some.

On point worth mentioning: Brandel is a fan the use of whitelists but I’m not so sure. Whitelists are lists of applications which are allowed to run in your environment. If you have a comprehensive list, then anything not on the list must be malicious and gets blocked. In theory, it’s a great idea. In practice, it requires a great deal of control to build and maintain that list. In a dynamic, small business, you may lose some flexibility.

Her other points (especially the one on page 4 about malware removal) are spot-on.